LINUX 3.2 FILE PERMISSION.docx
Uploaded by FinerZircon
**Understanding Linux File Permissions**

The core of the Linux security system is the user account. Each individual who accesses a Linux system should have a unique user account assigned. The users' permissions to objects on the system depend on the user account they log in with.

User permissions are tracked using a user ID (often called a UID), which is assigned to an account when it's created. The UID is a numerical value, unique for each user. However, you don't log in to a Linux system using your UID. Instead, you use a login name. The login name is an alphanumeric text string of eight characters or fewer that the user uses to log in to the system (along with an associated password).

The Linux system uses special files and utilities to track and manage user accounts on the system. Before we can discuss file permissions, we need to discuss how Linux handles user accounts. This section describes the files and utilities required for user accounts so that you can understand how to use them when working with file permissions.

**The /etc/passwd file**

The Linux system uses a special file to match the login name to a corresponding UID value. This file is the /etc/passwd file.

The /etc/passwd file contains several pieces of information about the user. Here's what a typical /etc/passwd file looks like on a Linux system:

**The root user account is the administrator for the Linux system and is always assigned UID 0.**

**How to find the UID and GID**

    sudo cat /etc/passwd

[Screenshot: output of sudo cat /etc/passwd]

**The columns are as follows:**

- Column 1 -- Name
- Column 2 -- Password -- an x in this field means the user has a password and its hash is kept in /etc/shadow, not in this file.
- Column 3 -- UID (User ID)
- Column 4 -- GID (Group ID)
- Column 5 -- Gecos -- contains general information about the user and can be empty.
- Column 6 -- Home directory
- Column 7 -- Shell -- the path to the default shell for the user.

**The /etc/shadow file**

The /etc/shadow file provides more control over how the Linux system manages passwords. Only the root user has access to the /etc/shadow file, making it more secure than the /etc/passwd file. The /etc/shadow file contains one record for each user account on the system. A record looks like this:

    rich:$1$.FfcK0ns$f1UgiyHQ25wrB/hykCn020:11627:0:99999:7:::

There are nine fields in each /etc/shadow file record:

1. The login name corresponding to the login name in the /etc/passwd file
2. The encrypted password
3. The number of days since January 1, 1970, that the password was last changed
4. The minimum number of days before the password can be changed
5. The number of days before the password must be changed
6. The number of days before password expiration that the user is warned to change the password
7. The number of days after a password expires before the account will be disabled
8. The date (stored as the number of days since January 1, 1970) since the user account was disabled
9. A field reserved for future use

Using the shadow password system, the Linux system has much finer control over user passwords. It can control how often a user must change his or her password and when to disable the account if the password hasn't been changed.

**Types of Linux Users**

Linux is a highly secure operating system that depends on strict file permissions dictating which users and groups can access files.

**1. Admin or Non-admin:** A Linux user is either an administrator or a non-administrator. The administrator is a superuser (or root user) with full control over the entire system. With that in mind, it is important to ensure that only a very limited number of people have read and write permissions on all the files in the entire system. In contrast, a non-administrator by default has limited (or no) access to certain system/configuration files.

**2. Normal user:** A majority of the accounts will be non-administrators. These users can be divided into two subtypes: normal user or system user. Normal users are real people. The individual is given a user account for login and limited access to computer applications, files, and resources.

**3. System user:** A system user is typically a non-human or computer-generated account. System users are created to run a specific program or process/daemon such as a web server or backup program. This type of "user" is limited in control and is assigned only enough access to manage its particular process.

**Users and Groups in Linux**

On a Linux system, all users added are assigned a name, a unique user identification (UID), a group, and a group identification (GID). When a user is initially created, a new UID and matching GID are assigned.

UID and matching GID numbers are assigned based on the type of user:

- **Administrator (root):** UID and GID = 0
- **System user (computer-generated):** UID and GID assigned from 1 to 999
- **Normal users (real people):** UID and GID = 1000 or greater, incremented with every new user

The new user is by default assigned a matching group name (and typically a matching GID) so that the user will be a member of their own group. For example, a user (UID = 1000) will also be assigned to the group (GID = 1000).

**Using Linux Groups**

User accounts are great for controlling security for individual users, but they aren't so good at allowing groups of users to share resources. To accomplish this, the Linux system uses another security concept, called groups.
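The /etc/passwd and /etc/shadow layouts and the UID ranges described above, worked through as an added example that is not part of the original document: it parses constructed sample records (placeholder hashes, not from any real system), classifies accounts by UID, and flags what a defender would check first: extra UID 0 accounts, a password hash left in /etc/passwd, an empty shadow hash, and a password past its maximum age.

```python
from datetime import date, timedelta
EPOCH = date(1970, 1, 1)

# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host);
# hashes are placeholders. On a real system only root can read /etc/shadow.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rich:x:1000:1000:Rich Blum:/home/rich:/bin/bash
backup2:x:0:0::/root:/bin/bash
legacy:$1$PLACEHOLDER$hashleftinpasswd:1001:1001::/home/legacy:/bin/sh
"""
SHADOW = """\
root:$6$PLACEHOLDER$hash:11627:0:99999:7:::
rich:$1$.FfcK0ns$f1UgiyHQ25wrB/hykCn020:11627:0:90:7:::
backup2::11627:0:99999:7:::
"""

def user_type(uid):
    """UID ranges from the text: 0 administrator, 1-999 system, 1000 and up normal."""
    return "administrator" if uid == 0 else "system" if uid < 1000 else "normal"

def parse_passwd(text):
    """Seven colon-separated columns; keep (password field, UID) per login name."""
    return {f[0]: (f[1], int(f[2])) for f in (ln.split(":") for ln in text.splitlines())}

def parse_shadow(text):
    """Nine fields: hash is field 2, last change (days since 1970-01-01) field 3, max age field 5."""
    recs = {}
    for f in (ln.split(":") for ln in text.splitlines()):
        recs[f[0]] = {"hash": f[1], "max": int(f[4]) if f[4] else None,
                      "lastchg": EPOCH + timedelta(days=int(f[2])) if f[2] else None}
    return recs

def audit(passwd_text, shadow_text, today_iso):
    """Return (login, finding) pairs a defender would review, as of the given ISO date."""
    today, findings, shadow = date.fromisoformat(today_iso), [], parse_shadow(shadow_text)
    for name, (pw, uid) in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
        if pw != "x":
            findings.append((name, "password field is not 'x' (hash not in /etc/shadow)"))
        s = shadow.get(name, {})
        if s.get("hash") == "":
            findings.append((name, "empty hash: login without a password"))
        if s.get("lastchg") and s.get("max") is not None:
            expires = s["lastchg"] + timedelta(days=s["max"])
            if expires < today:
                findings.append((name, f"password expired on {expires}"))
    return findings
```

Run it with `audit(PASSWD, SHADOW, "2024-01-01")`; on a real host you would read the two files as root and pass their contents in the same way.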
Group permissions allow multiple users to share a common set of permissions for an object on the system, such as a file, directory, or device (more on that later in the "Decoding File Permissions" section).

You should never add users to groups by editing the /etc/group file. Instead, use the usermod command to add a user account to a group. Before you can add users to different groups, you must create the groups.

**Creating new group**

The groupadd command allows you to create new groups on your system:

[Screenshot: groupadd example]

When you create a new group, no users are assigned to it by default. The **groupadd** command doesn't provide an option for adding user accounts to the group. Instead, to add new users, use the usermod command:

**Modifying groups**

As you can see from the /etc/group file, you don't need to modify much information about a group. The groupmod command allows you to change the GID (using the -g parameter) or the group name (using the -n parameter) of an existing group.

[Screenshot: groupmod example]

**Decoding File Permissions**

**Using file permission symbols**

The ls command allows you to see the file permissions for files, directories, and devices on the Linux system:

The first field in the output listing is a code that describes the permissions for the files and directories. The first character in the field defines the type of the object:

After that, you see three sets of three characters. Each set of three characters defines an access permission triplet:

The three sets relate to the three levels of security for the object:

[Screenshot: ls -l output]

These permissions indicate that the user login name rich can read, write, and execute the file (considered full permissions). Likewise, members in the group rich can also read, write, and execute the file. However, anyone else not in the rich group can only read and execute the file; the w is replaced with a dash, indicating that write permissions are not assigned to this security level.

Let's break down the permissions line for **file-1.txt** from the screenshot:

    -rw-rw-r--

Note: the first character identifies the resource as either a directory (d) or a file (-).

The following nine characters should actually be read as triplets: rw- for the file owner, rw- for the group(s) that have permission to the file, and r-- for all others. What do these symbols mean?

- read (r) = contents can be viewed but not edited, renamed, added, or deleted
- write (w) = contents can be viewed, edited, renamed, added, and deleted
- execute (x) = contents can run as a program or script
- (-) = the permission is not granted

So, the permissions shown for **file-1.txt** mean that the owner can read and write, the group can read and write, and all others can only read.

**Read-write-execute permissions can also be written as numbers,** with each being a power of two. Each set of triplets can be expressed as the sum of the permissions that apply.

- **read: 4**
- **write: 2**
- **execute: 1**
- **no permission: 0**

For example:

- Owner: rwx = 4+2+1 = 7
- Group: r-- = 4+0+0 = 4
- Others: r-- = 4+0+0 = 4

**Default file permissions**

You may be wondering where these file permissions come from. The answer is umask. The umask command sets the default permissions for any file or directory you create.

[Screenshots: umask examples]

**Changing Security Settings**

**Changing permissions**

The chmod command allows you to change the security settings for files and directories. **The format of the chmod command is:**

**chmod options mode file**

The mode parameter allows you to set the security settings using either octal or symbolic mode. The octal mode settings are pretty straightforward; just use the standard three-digit octal code you want the file to have:

    $ chmod 760 newfile
    $ ls -l newfile
    -rwxrw---- 1 rich rich 0 Sep 20 19:16 newfile
    $

The octal file permissions are automatically applied to the file indicated.
The symbolic mode permissions are not so easy to implement. Instead of using the normal string of three sets of three characters, the chmod command takes a different approach.

**The following is the format for specifying a permission in symbolic mode:**

**[ugoa...][[+-=][rwxXstugo...]**

Makes perfectly good sense, doesn't it? The first group of characters defines to whom the new permissions apply:

- u for the user
- g for the group
- o for others (everyone else)
- a for all of the above

Next, a symbol is used to indicate whether you want to add the permission to the existing permissions (+), subtract the permission from the existing permissions (-), or set the permissions to the value (=).

Finally, the third symbol is the permission used for the setting. You may notice that there are more than the normal rwx values here. These are the additional settings:

- X assigns execute permissions only if the object is a directory or if it already had execute permissions.
- s sets the UID or GID on execution.
- t saves program text (the sticky bit).
- u sets the permissions to the owner's permissions.
- g sets the permissions to the group's permissions.
- o sets the permissions to the others' permissions.

[Screenshot: chmod symbolic mode example]

**Changing ownership**

Sometimes, you need to change the owner of a file, such as when someone leaves an organization or a developer creates an application that needs to be owned by a system account when it's in production. **Linux provides two commands for doing that.**

The chown command makes it easy to change the owner of a file, and the chgrp command allows you to change the default group of a file.

**The format of the chown command is:**

**chown options owner[.group] file**

[Screenshot: chown example]

Finally, if your Linux system uses individual group names that match user login names, you can change both with just one entry:

[Screenshot: chown owner.group example]
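The umask defaults, the octal 4/2/1 notation and the chmod symbolic mode from the sections above, as an added example that is not the document's own code: it computes the default mode a umask leaves, renders a mode the way ls -l shows it, and applies symbolic clauses such as u+x,g-w,o=r to an integer mode so the effect of each clause can be checked without touching the filesystem. Assumptions, stated in the docstring as well: an empty who is treated as a, = also clears the class's setuid/setgid/sticky bit, and GNU chmod's preservation of setgid on directories is not modelled.

```python
import re
from stat import S_ISUID, S_ISGID, S_ISVTX

PERM_BITS = {"r": 4, "w": 2, "x": 1}                 # one rwx triplet, the text's 4/2/1
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}                 # owner, group, others triplets
CLASS_SPECIAL = {"u": S_ISUID, "g": S_ISGID, "o": S_ISVTX}
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxXstugo]*)$")  # [ugoa][+-=][rwxXstugo]

def default_mode(umask, is_dir=False):
    """New files start from 666 and directories from 777; umask clears bits."""
    return (0o777 if is_dir else 0o666) & ~umask & 0o777

def to_symbolic(mode):
    """Render the nine permission bits as ls -l shows them, e.g. 0o760 -> rwxrw----."""
    out = ""
    for shift in (6, 3, 0):
        trip = (mode >> shift) & 7
        out += "".join(c if trip & b else "-" for c, b in PERM_BITS.items())
    return out

def apply_symbolic(mode, spec, is_dir=False):
    """Apply a chmod symbolic spec such as 'u+x,g-w,o=r' or 'g=u' to an integer mode.
    Assumptions: an empty who means 'a' (umask not consulted), '=' also clears the
    class's setuid/setgid/sticky bit, and directory setgid preservation is not modelled."""
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad symbolic clause: {clause!r}")
        who, op, perms = m.groups()
        for w in ("ugo" if who in ("", "a") else who):
            bits = 0
            for p in perms:
                if p in PERM_BITS:                       # plain r, w, x
                    bits |= PERM_BITS[p] << WHO_SHIFT[w]
                elif p == "X":                           # x only for dirs or already-executable
                    if is_dir or mode & 0o111:
                        bits |= 1 << WHO_SHIFT[w]
                elif p in WHO_SHIFT:                     # u/g/o: copy that class's triplet
                    bits |= ((mode >> WHO_SHIFT[p]) & 7) << WHO_SHIFT[w]
                elif p == "s" and w in "ug":             # setuid / setgid
                    bits |= CLASS_SPECIAL[w]
                elif p == "t" and w == "o":              # sticky bit ("saves program text")
                    bits |= S_ISVTX
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:                                        # '=': replace the class's bits
                mode = (mode & ~((7 << WHO_SHIFT[w]) | CLASS_SPECIAL[w])) | bits
    return mode
```

For instance, `to_symbolic(apply_symbolic(0o664, "u+x,g-w,o=r"))` gives the same string ls -l would show after running that chmod on file-1.txt.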